
2
Orientation
• Some attacks inevitably get through network protections and reach individual hosts
• In Chapter 7, we looked at OS and host hardening
• In Chapter 8, we look at application hardening
• This is the last chapter on protection
Copyright Pearson Prentice-Hall 2010

6
8-1: Application Security Threats
• Example of XSS
  – Attacker sends the victim an e-mail message with a link to a legitimate site
  – The link includes a script that is not visible in the browser window
  – The intended victim clicks on the link and is taken to another webpage
  – The webserver sends back a webpage including the script
  – The script is invisible to the user (the script executes)
  – The script may exploit a vulnerability in the browser or another part of the user's software

8
8-1: Application Security Threats
• SQL injection attacks on databases
  – Programmer expects an input value (text, number, etc.)
    • This may be used as part of an SQL query or operation against the database
  – Say, to accept a last name as input and return the person's telephone number
  – Attacker enters an unexpected string
    • For example: a last name followed by a full SQL query string
    • The program may execute both the telephone number lookup command and the extra SQL query
    • This information should not be available to the attacker
  – Attacker may even delete an entire data table

14
8-4: Securing Custom Applications: General
• Beware of problems in customized applications
  – Written by a firm's own programmers or outsourced
  – Programmers may not be well trained in secure software development methodology or coding
• User input must not be accepted without checking
  – Testing/validation
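The last-name lookup described on slide 8-1 and the input checking called for on slide 8-4, as an added example that is not part of the original slides: the same lookup written with string concatenation (the query text absorbs whatever the user typed) and with a parameterised query, plus an allowlist check that rejects an implausible last name before it reaches the database. The table contents and the function names are constructed for this example.

```python
import re
import sqlite3

# Constructed sample phone directory (not from the slides).
SAMPLE_ROWS = [("Smith", "555-0101"), ("Jones", "555-0102"), ("Lee", "555-0103")]

# Allowlist for a plausible last name: letters, spaces, hyphens, apostrophes.
LAST_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$")


def make_db():
    """Build an in-memory table of last names and telephone numbers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (last_name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, last_name):
    """The programmer expected a plain last name; the input is pasted into
    the query text, so any SQL syntax in it becomes part of the query."""
    sql = "SELECT phone FROM people WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, last_name):
    """Parameterised query: the driver passes the value separately, so the
    input is compared as data and never parsed as SQL."""
    sql = "SELECT phone FROM people WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def is_plausible_last_name(value):
    """Input validation (slide 8-4): reject strings that cannot be a last
    name before they reach the database at all."""
    return bool(LAST_NAME_RE.match(value))


def demo():
    """Run one expected input and one unexpected string through both lookups."""
    conn = make_db()
    expected = "Smith"
    unexpected = "x' OR '1'='1"  # the quote closes the literal; the OR clause matches every row
    return {
        "expected_vulnerable": lookup_vulnerable(conn, expected),
        "expected_safe": lookup_safe(conn, expected),
        "unexpected_vulnerable": lookup_vulnerable(conn, unexpected),  # leaks every number
        "unexpected_safe": lookup_safe(conn, unexpected),              # matches nothing
        "unexpected_passes_validation": is_plausible_last_name(unexpected),
    }
```

With the expected input both lookups return the one number; with the unexpected string the concatenated query returns the whole directory, the parameterised query returns nothing, and the allowlist check rejects the string outright.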

31
8-11: Browser Attacks and Protections
• Other Client-Side Attacks
  – Turn the computer into an unintended file server
  – Executing a command-line interface (CLI) to open a shell
    • Then the attacker can enter many commands
  – Automatic redirection to an unwanted webpage
    • User may be automatically directed to a malicious website
  – Cookies
    • Cookies are placed on the user's computer
      – Can be retrieved by a website
      – Can contain private information
    • Can be used to track users at a website
    • Accepting cookies may be necessary to use many websites

38
8-14: E-Mail Security
• Employee training is needed for the following
  – Company e-mail is not private
    • The company has the right to read it
  – Your messages may be forwarded without permission
  – Never put anything in a message that you would not want to see in court, printed in the newspapers, or read by your boss
  – Never forward messages without permission

41
8-16: E-Mail Retention
• Benefits of Retention
  – Major part of corporate memory
  – Often need to retrieve some old mails
• Disadvantages of Retention
  – Can contain potentially damaging information
  – Expensive process because of required resources
• Accidental Retention
  – Even if firms delete e-mail from mail servers, it may be stored on backup tapes
  – Users will often store copies on their own computers
• There can be legal archiving requirements

58
8-26: TCP/IP Supervisory Applications
• TCP/IP Supervisory Protocols
  – Many supervisory protocols in TCP/IP
    • ARP, ICMP, DNS, DHCP, LDAP, RIP, OSPF, BGP, SNMP, etc.
  – The targets of many attacks
    • Such as SNMP
      – GET messages to get information from a managed object
      – SET messages to change the configuration of a managed object
• IT security people must work with the networking staff
  – To ensure that appropriate security is being applied to supervisory protocols